OSCP: An Unexpected Journey

What’s an OSCP?
An adventure like no other, Offensive Security Certified Professional (OSCP) gives willing participants a chance to go from zero to hero in a self-paced certification process. When I say zero, I truly mean it…

There isn’t a “best practice” method to starting, working through or successfully navigating the OSCP course materials or exam but I’m hoping that this post helps those who might be on the fence to just give it a go!

1. Diving into the Deep End
I started my OSCP journey in January of 2017 and had little to no experience with anything offensive security related. I knew what Kali was. I knew what Metasploit was. I knew that NMAP was used in “The Matrix”.


Finding a starting point was extremely challenging for me; getting “dropped” into a network with 35+ machines that are all “hackable” was overwhelming. There is no right answer here, just spin up a scanner and start gathering information about the network, domain, potential users, etc.

2. Looking at the Bigger Picture
I found it beneficial to organize all that juicy collected network and domain-related data into a readable format. Maybe a spreadsheet with a tab for “Network Assets”, (detailing high-level information on each target) and a tab for “Domain Information” (detailing servers, users, and groups).

3. Finding that First (Critical) Target
Now that we have a full list of vulnerable targets, it’s go time. This is another extremely daunting part of OSCP and circles back to our first point – where the heck do we start? For sanity sake, and an opportunity to get your first shell, I (this is my personal opinion) would start with the oldest operating systems identified during the enumeration phase. It might be an easy first win and help build confidence. I also found it important to work on one target until root privileges were obtained.

4. Ask for Help, Everyone Needs it
There will be times you’ll want to throw something within your personal radius (best to nail important things down) but that’s part of the process. There will be times you’ll spend 4 hours on a single machine to suddenly realize that you’ve been digging the wrong way this whole time and that the answer was something you learned on a previous machine (this is why documentation is so important – but we’ll get to that).

Google is your friend! If you think of something, Google it. Think of it this way… someone has been in your shoes already, someone has figured it out and if they’re nice enough, they’ve blogged about it. There are endless resources available, including public and OSCP student forums, use them, don’t be afraid to ask for help on a topic that is brand new to you.

5. Building a Personal Toolset (Learn them, add them)
What tools are the best OSCP tools to use? This is a common question I’ve been asked and the answer isn’t as straightforward as one would hope. OSCP does a great job suggesting common tools to use in their introductory videos but that’s what they are, suggestions. Everyone uses different tools, and there is no wrong answer here. Sure, some tools might be more efficient than others but at the end of the day, if they both get the job done, then that’s a win in my book!

Some of you are probably still thinking – just list your favorite tools! Well, here’s some:

6. Test Time, Just go for it – and Keep Trying!
Some students will feel ready to challenge the exam after “shelling” 10 machines, other students will want to tackle as many as they can before taking the test. Again, there isn’t an exact science here, it’s all about personal preference. My opinion here is to just take the leap – just go for it, what’s the worse that’s going to happen? The whole premise of the OSCP certification is to Try Harder and to learn from your mistakes; failing an exam is just one of those learning lessons.

  • 1st Attempt
    After “shelling” close to 20 machines, I thought it was time to take that leap and attempt the daunting 24-hour OSCP exam… it definitely wasn’t. The exam started at 9am and I think I starred at my screen, literally shaking with nerves, for the first hour. Once I calmed myself down, I dove headfirst into multiple machines, trying to find an “easy win”, wasting another couple of hours. Before I knew it, I had only “shelled” one machine and been staring at my computer for close to 14 hours.Tips for next time: “Shell” more machines, read tutorials on advanced topics, take breaks, and eat regularly.
  • 2nd Attempt
    Fast-forward 2 months, and after “shelling” close to 40 machines, I thought this was my time and got ready to take the 2nd attempt. The nerves were substantially better this time around, but I struggled to get a “shell” on my first target and it rattled me. It took me roughly 6 hours to gain “shell” on that target and the test slowly became a race against the clock – and we can all guess who won that battle.Tips for next time: Sharpen skills with Hack-The-Box CTF Challenges, plan (forced) lunch and dinner dates with friends and family, and exercise at least once.
  • 3rd Attempt
    Now, 4 months after my initial exam, and (hopefully) learning from past experiences, it was time to take my third (and final) OSCP certification attempt. I grabbed that first “shell” within the first couple of hours, gained a second and third “shell” within the next 3 hours, then took a nice lunch break with some friends – hitting the mental reset button. I struggled throughout the afternoon, so I went for a run to clear my head, had a great dinner, then jumped back into it. Obtaining that final “shell” was an overwhelming experience and definitely worth all the heartache.

7. Documentation, it’s Important
One aspect of the OSCP certification that flies under the radar, in my opinion, is the need for lab and exam documentation. A student cannot pass the final exam without submitting documentation. I’m sure this frustrates more than a handful of students, but this is what separates this offensive certification from others –  it truly does prepare students for the real-world penetration testing projects.

Keep detailed notes on known networks, domains, users, communications.
Keep detailed notes on tactics, techniques, and Procedures (TTPs).

Your Turn!
OSCP will knock you down. OSCP might make you cry, but it’s definitely worth it.

As of early 2020, it’s been revamped, and with everyone being limited to home offices, now is a good of a time as ever to get started.

Revamped OSCP Course
Revamped OSCP Syllabus

Until next time!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s